EV0024.txt

2006-01-22T00:00:00
ID PACKETSTORM:43258
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-01-22T00:00:00

Description

                                        
                                            `New eVuln Advisory:  
CaLogic Calendars Multiple XSS Vulnerabilities  
http://evuln.com/vulns/24/summary/bt/  
  
--------------------Summary----------------  
  
Software: CaLogic Calendars  
Software's Web Site: http://www.calogic.de/  
Versions: 1.2.2  
Critical Level: Moderate  
Type: Cross-Site Scripting  
Class: Remote  
Status: Unpatched  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
eVuln ID: EV0024  
  
-----------------Description---------------  
Most user-supplied variables are not properly sanitized, so user data may contain HTML tags. The <script> tag is replaced by "< script >", but this blacklist is not enough to prevent script code from being posted: user data may still contain an <iframe> tag, which is passed through untouched.  
  
This can be used to post arbitrary HTML or script code into a calendar entry, which is then rendered and executed by the browser of every visitor who views that entry (stored cross-site scripting).  
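The filtering problem described above, as an added example that is not CaLogic's own code: a model of the blacklist filter the advisory describes (only the literal <script> tag is defanged) next to an output-encoding replacement, run over constructed sample event titles. The sample titles, the function names, and the assumption that the tag is matched literally and case-sensitively are all mine; the advisory does not say how CaLogic performs the replacement. The <img onerror> sample goes beyond what the advisory lists, to show that any tag blacklist of this kind misses event-handler attributes as well.

```javascript
// Added example, not CaLogic's own code.

// Weak filter as the advisory describes it: the literal <script> tag is
// rewritten to "< script >", so it no longer parses as a tag. Everything
// else is passed through untouched. (Assumption: exact, case-sensitive
// match; the advisory does not say how the tag is matched.)
function weakFilter(input) {
  return input.split("<script>").join("< script >");
}

// Hardened replacement: escape every character with special meaning in
// HTML, so user data is rendered as text and never parsed as markup.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Does the filtered output still contain something a browser would parse
// as an opening tag? Sufficient for this demonstration; the real check is
// to render the output in a browser, not to regex it.
function containsTag(output) {
  return /<[a-z][^>]*>/i.test(output);
}

// Constructed sample event titles (not real data): a harmless title, the
// <script> case the filter handles, the <iframe> case from the advisory,
// and an event-handler case that a tag blacklist also misses.
const SAMPLE_TITLES = [
  "Team meeting",
  "<script>alert(document.cookie)</script>",
  '<iframe src="http://attacker.example/steal"></iframe>',
  '<img src="x" onerror="alert(document.cookie)">',
];

// For each title, report whether it survives each filter as live markup.
function compareFilters(titles = SAMPLE_TITLES) {
  return titles.map((title) => ({
    title,
    weakFilterLeaksTag: containsTag(weakFilter(title)),
    escapeHtmlLeaksTag: containsTag(escapeHtml(title)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareFilters());
}
```

Running the block prints a table in which only the weak filter leaks a tag, and only for the <iframe> and <img> titles. The design point is that a blacklist of tag names can never be complete; encoding on output (or a whitelist parser such as HTML Purifier, if some markup must be allowed) is the fix the advisory's "Solution: Not Available" line is waiting for.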
  
--------------Exploit----------------------  
Example:  
  
Adding New Event page:  
  
Title value: <XSS>  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  